Configure Per-Computer Settings

Applies To: WatchGuard Advanced EPDR This topic applies to the WatchGuard Advanced EPDR endpoint security product., WatchGuard EPDR This topic applies to the WatchGuard EPDR endpoint security product., WatchGuard EDR This topic applies to the WatchGuard EDR endpoint security product., WatchGuard EPP This topic applies to the WatchGuard EPP endpoint security product., WatchGuard EDR Core This topic applies to the WatchGuard EDR Core, available in the Total Security Suite license.

On the Per-Computer Settings page, you create settings profiles that specify how often to install protection software updates on workstations and servers. You can also define settings to prevent tampering and unauthorized uninstallation of the protection software.

Settings vary for WatchGuard Advanced EPDR, EPDR, EDR, EDR Core, and EPP. Throughout this documentation, WatchGuard Endpoint Security refers generally to all products. If you do not have a setting in the Endpoint Security management UI, it is not supported by your product.

To configure a per-computer settings profile:

1. In WatchGuard Cloud, select Configure > Endpoints.
2. Select Settings.
3. From the left pane, select Per-Computer Settings.
4. Select an existing security settings profile to edit, copy an existing profile, or in the upper-right corner of the page, click Add to create a new profile.
   The Add Settings or Edit Settings page opens.

5. In the Name text box, type a name for the settings profile.
6. (Optional) In the Description text box, type a brief description of the settings profile.
7. Configure these settings, as required:
   • Configure Preferences
   • Configure Updates
   • Configure Security Against Tampering
   • Configure Shadow Copies
8. Click Save.
   The new settings profile displays in the list.
9. Select the profile and assign recipients, if required.
   For more information, go to Assign a Settings Profile.

Configure Preferences

You can choose to show the WatchGuard icon in the system tray of computers where WatchGuard Endpoint Security is installed.

To show the WatchGuard icon in the system tray:

1. Select Preferences.
2. Enable the Show icon in the system tray toggle.

Configure Updates

Configure the time and frequency of updates of the Endpoint Security software.

Update options are not configurable for Android devices. For more information, go to Configure Android Device Settings.

In the General settings of a workstations and servers settings profile, you can also configure automatic knowledge updates. For more information, go to Configure Automatic Knowledge (Signature File) Updates.

To configure updates to the endpoint security software:

1. Select Updates.
   

2. To automatically update the software on computers, enable the toggle.
   Updates occur as soon as they are available unless you specify a day and time.
   
3. Specify the time when the software can update. We recommend that you schedule updates when they will not interfere with other updates, backups, etc. Avoid Endpoint Security updates at the same time as Windows updates. Windows updates will take precedence and could cause the Endpoint Security update to fail.
   • To apply updates to the software on managed computers during a specified time period, specify the Start Time and End Time.
   • To allow updates to the software on managed computers at any time, select the Anytime check box.
4. To specify the days on which to apply software updates, select an option from the Apply Updates Only on the Following Days list:
   
   • Any Day — Applies updates when they are available, on any day of the week or month.
   • Days of the Week — Select the days of the week to apply updates. You must select at least one day. When an update is available, it runs on the first day of the week that matches the selection.
   • Days of the Month — In the Start Day and End Day boxes, select the days of the month between which to apply updates. When an update is available, it runs on the first day of the month that matches the selection.
   • On the Following Days — In the From and To calendars, select the dates between which to apply updates. This update does not repeat.

5. From the If a Restart Is Necessary to Complete the Update Process list, select an option:

   • Do Not Restart Automatically — A restart dialog box on the target computer prompts the user to restart the computer. The dialog box continues to open until the computer restarts.
   • Automatically Restart Workstations Only — Computers automatically restart after the update completes. Servers do not restart automatically.
   • Automatically Restart Servers Only — Servers automatically restart after the update completes. Computers do not restart automatically.
   • Automatically Restart Workstations and Servers — Computers and servers automatically restart after the update completes.

   The actual time when the restart begins is four hours after the option you select. If a Windows update requires a reboot at the same time as the Endpoint Security update, then the WatchGuard Agent will not restart and the upgrade will fail.

Configure Security Against Tampering

Configure security against tampering to make sure that only authorized users can uninstall, disable, or uninstall WatchGuard Endpoint Security.

We recommend that you configure a password if you enable any of these options:

Require a password to uninstall the protection locally from the protected computer

If you enable this option, users must enter the configured password to uninstall the WatchGuard Endpoint Security protection or the WatchGuard Agent from any computer that has these settings applied. This prevents unauthorized uninstallations. This feature is not available for Linux and Mac endpoints.

Allow the protections to be temporarily enabled or disabled from the protected computer

If you enable this option, users must enter the configured password to get access to the administrator panel on the protected computer. In the WatchGuard Endpoint Security window, users can temporarily enable and disable WatchGuard Endpoint Security. After the specified time period, the changes revert to the settings specified in the profile applied to the computer.

Enable anti-tamper protection

Anti-tamper protection makes sure that only authorized users can uninstall, disable, or uninstall WatchGuard Endpoint Security. If you enable this option, the configured password is required to disable anti-tamper protection locally from the protected computer.

If a computer loses its license because it is manually removed or because it expires or is canceled, the Anti-Tamper Protection and password-based uninstallation protection are disabled.

To configure security against tampering:

1. Select Security Against Unauthorized Protection Tampering.

2. To require the user on the client Windows computer to enter a password to uninstall WatchGuard Endpoint Security, enable the Request Password to Uninstall the Protection from Computers toggle.
3. To allow administrators to temporarily manage computer security settings from the endpoint software on the computer, enable the Allow the Protections to Be Temporarily Enabled/Disabled from the Computer's Local Console toggle.
   
4. To stop users and malware that try to disable protection, enable the Enable Anti-Tamper Protection toggle.
5. To protect network Windows computers in Safe Mode from tampering, enable the Enable Protection when Windows Computers Start in Safe Mode toggle.
   In Safe Mode, antivirus is automatically disabled. Some types of malware force Windows computers to restart in Safe Mode with networking enabled. When you enable this toggle, all configured protections remain active to provide protection for your Windows computers.
   
6. If you enabled any toggle, in the Password Required to Perform Advanced Management Tasks Locally from your Computers text box, specify the password the user must enter on the client computer.
7. To enable two-factor authentication when the user logs in to the local management UI or when they try to uninstall the protection software from an endpoint, select the Enable Two-Factor Authentication (2FA) toggle.
8. Generate a QR code. For more information, go to Generate a QR Code for Two-Factor Authentication.
9. Click Save.

Generate a QR Code for Two-Factor Authentication

When you enable two-factor authentication, you generate a QR code to scan with AuthPoint, or any authenticator app, to create a token. When enabled, two-factor authentication is required in AuthPoint or another authenticator app to log in to the local management UI or to uninstall the protection software from a device.

You can scan a QR code that can be shared on the entire account or create a unique QR code for each per-computer settings profile.

Generate a Shared QR Code

Generate a QR code that is automatically shared to all per-computer settings profiles in the account.

To generate a shared QR code for the account:

1. In the Security Against Unauthorized Protection Tampering section, enter a password to perform advanced management tasks locally from your computers.
2. Select Enable Two-Factor Authentication (2FA).
3. Select Use a QR Code Shared Across the Entire Account.
   All per-computer settings profiles will share the same QR code.

4. Click Show QR Code.

5. Scan the QR code in the AuthPoint app (or another authenticator app) to activate a token.
   Make sure that all administrators with the existing QR code use the new QR code to activate a new token.
   
6. Click Close.
7. Save the updated configuration settings profile.
   The QR code is saved in this settings profile and applies to all per-computer settings profiles assigned to your computers.

Generate a QR Code for a Single Per-Computer Settings Profile

When you generate a QR code for each per-computer settings profile, each administrator requires the QR code to activate a token and access the local management UI or uninstall the protection software from a device.

To generate a QR code for this per-computer settings profile:

1. In the Security Against Unauthorized Protection Tampering section, enter a password to perform advanced management tasks locally from your computers.
2. Select Enable Two-Factor Authentication (2FA).
3. Select Generate a QR Code for this Configuration.

4. Click Generate Code.

5. Enter a 6- to 20-character combination of letters and numbers for the QR code key.
   This QR code key (passphrase) is linked to the generated QR code. You can reuse the QR code key in other per-computer settings profiles to enable two-factor authentication.
   
6. Click Generate Code.

7. Scan the QR code in the authenticator app, such as AuthPoint.
8. Click Close.
9. Save the updated configuration settings profile.
   Administrators can use this QR code key (passphrase) in other security settings profiles to generate the same QR code.

Configure Shadow Copies

Shadow copies is a technology included in Windows computers that can create a snapshot of computer files, even when they are in use. From WatchGuard Endpoint Security, you can remotely interact with the Windows Shadow Copies service on the computers on the network. This feature is available for endpoints that run Windows Vista or Windows 2003 Server, and higher.

When enabled in WatchGuard Endpoint Security, Windows creates a shadow copy every 24 hours. WatchGuard Endpoint Security retains up to 7 copies at a given time. You cannot delete a shadow copy created by the software (WatchGuard Advanced EPDR, EPDR, EDR, and EPP). To restore a backup, you must use the Windows Shadow Copies app on your computer.

To enable shadow copies for endpoints in WatchGuard Endpoint Security:

1. Select Shadow Copies.

2. Enable the Activate Windows Shadow Copies to Create a Backup of your Computer's Files Every Day toggle.
   Windows creates shadow copies of your computer files. WatchGuard Endpoint Security retains up to 7 copies of a file.
3. In the Maximum Space for Shadow Copies text box, enter a value between 5% and 20%.
   By default, the value is set to 10%. We recommend a value between 5% and 20%. Shadow Copies makes sure that the set volume is not exceeded. This value has priority over other space settings established by the network administrator.

Related Topics

Manage Settings

Copy a Settings Profile

Edit a Settings Profile

Assign a Settings Profile

Configure the WatchGuard Agent Remotely